JanaWare Ransomware Uses Adwind RAT to Target Turkish Users

Marcus Rodriguez
April 15, 2026

Key Takeaways

  • A new ransomware variant, JanaWare, is actively targeting users and small businesses in Turkey.
  • The attack chain leverages a customized version of the Adwind Remote Access Trojan (RAT) for initial compromise and reconnaissance.
  • Attackers use phishing and social engineering with localized lures to distribute the RAT, then selectively deploy JanaWare ransomware based on victim profiling.
  • The campaign combines a well-known RAT with new ransomware logic and a targeted distribution model, posing a significant risk to Turkish users.

New JanaWare Ransomware Leverages Customized Adwind RAT to Target Turkish Users

Cybersecurity researchers have identified a new ransomware family, dubbed JanaWare, actively targeting computer users and small businesses in Turkey. This emerging threat distinguishes itself by employing a modified version of the Adwind Remote Access Trojan (RAT) to gain initial access and conduct reconnaissance on victim systems before deploying its encryption payload.

The campaign exhibits a sophisticated blend of familiar tactics and novel elements. By integrating a widely recognized cross-platform RAT with fresh ransomware code and a distribution strategy specifically tailored for Turkish users, the threat actors create a potent and uniquely dangerous risk for individuals and small enterprises in the region.

Targeting Strategy and Initial Compromise

Analysis of the ongoing operation indicates a primary focus on individual users and small businesses. These entities often possess weaker security infrastructures, making them more susceptible to email-based attacks. The attack sequence typically commences with phishing or socially engineered messages designed to persuade victims into opening malicious attachments or clicking on malicious links. These lures are frequently disguised as routine documents or business-related files, presented in the Turkish language to enhance their credibility and effectiveness. Further details on this campaign can be found in a comprehensive security analysis.

Upon interaction with these deceptive elements, the customized Adwind RAT is surreptitiously installed on the victim’s machine. This grants the attacker remote control over the compromised system, setting the stage for subsequent phases of the attack. During this initial phase, files are not immediately encrypted. Instead, the RAT is used to survey the system and gather intelligence about the victim, and it downloads the JanaWare ransomware payload only if the attackers deem the target valuable or sufficiently interesting, as highlighted in the security analysis document.

Discovery and Technical Analysis by Acronis

Acronis threat analysts were the first to identify this JanaWare activity. Their monitoring of Adwind-based intrusions revealed unusual behavioral patterns on Turkish endpoints, prompting a deeper investigation. Telemetry data and sandbox analysis conducted by Acronis revealed that the Adwind samples involved in this campaign contained additional modules and post-exploitation scripts that deviated from previously documented versions of the RAT. According to an Acronis report, their researchers correlated network traffic, command-and-control (C2) instructions, and the final encryption routine, confirming that a new ransomware strain was being delivered via the customized Adwind infrastructure, rather than as a standalone binary.

Once JanaWare is deployed, its impact is immediate and evident: critical documents, archives, images, and databases are encrypted and renamed with a unique extension associated with the campaign. A ransom note is then dropped that explains the situation, warns that files cannot be recovered without the attacker’s decryption key, and provides instructions for victims to establish contact. In some observed instances, the ransom note includes local-language instructions and pricing, suggesting that the operators have conducted regional research to improve their chances of receiving payment. This combination of targeted language, selective deployment, and strong encryption can lead to significant disruption for individuals and small organizations that lack reliable backup and recovery processes.

Infection Mechanism and Customized Adwind Use

The JanaWare infection mechanism is heavily reliant on Adwind, though the version employed in these attacks features significant customizations that expand its capabilities beyond standard remote access. After a victim opens the initial malicious attachment, the Adwind loader utilizes obfuscated scripts and a multi-stage deployment process to evade detection by antivirus software. It then unpacks the RAT into memory and establishes persistence through various methods, including registry entries, scheduled tasks, or user-level startup configurations. Acronis researchers observed that this customized Adwind variant periodically communicates with its C2 server to retrieve updated configuration data, which includes instructions on whether and when to deploy the JanaWare ransomware module.

The infection chain illustrates how a malicious document initiates execution, passing control to a script loader. This loader then fetches the Adwind payload and establishes a communication channel back to the attackers. This architecture allows the threat actors to separate their phishing infrastructure from the core malware, enabling rapid rotation of lures while consistently reusing the same RAT and ransomware components. Consequently, security measures focused solely on blocking suspicious attachments may fail to detect later-stage traffic or payload delivery occurring through Adwind’s C2 channel, as detailed in the security analysis.

Once Adwind is active, it systematically collects system information, such as hostname, operating system version, installed software, and a list of user files and folders. This inventory is then transmitted back to the attacker for review and profiling. Based on this profile, the operators can selectively deploy JanaWare by instructing the RAT to download and execute the ransomware from a remote server, often utilizing encrypted or encoded channels to avoid detection. Before encryption commences, the ransomware process may attempt to disable local security tools, terminate backup-related services, and delete shadow copies to hinder recovery efforts without paying the ransom. Throughout these stages, both the RAT and the ransomware employ basic but effective detection-evasion techniques, such as using common process names, implementing anti-analysis checks, and demonstrating environment awareness to minimize their exposure to automated analysis systems.
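The behaviours described above (persistence through registry entries or scheduled tasks, then backup-service termination and shadow-copy deletion before encryption) can be triaged from process-creation logs. The sketch below is an added example, not code from Acronis or from the campaign. The event fields, host names and sample events are constructed, the command patterns are generic and widely documented rather than JanaWare indicators, and the Java-parent check assumes Adwind's usual Java runtime.

```python
import re
from collections import defaultdict

# Behaviours the article describes, mapped to widely documented Windows command
# patterns (generic patterns, not indicators from the JanaWare campaign).
RULES = {
    "persistence": re.compile(
        r"schtasks(\.exe)?\s.*/create|reg(\.exe)?\s+add\s.*\\currentversion\\run", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s.*delete\s+shadows|wmic(\.exe)?\s.*shadowcopy\s.*delete", re.I),
    "backup_service_stop": re.compile(
        r"(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\s.*(vss|wbengine|backup)", re.I),
}
INHIBIT = {"shadow_copy_deletion", "backup_service_stop"}
JAVA_PARENT = re.compile(r"(^|\\)javaw?\.exe$", re.I)  # assumption: Adwind runs on Java

def classify(event):
    """Return the rule names matched by one process-creation event."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]

def triage(events):
    """Group hits per host; recovery inhibition plus persistence or a Java parent is critical."""
    hosts = defaultdict(lambda: {"hits": set(), "java": False})
    for ev in events:
        hits = classify(ev)
        if hits:
            hosts[ev["host"]]["hits"].update(hits)
            hosts[ev["host"]]["java"] |= bool(JAVA_PARENT.search(ev["parent"]))
    report = {}
    for host, st in hosts.items():
        inhibits = st["hits"] & INHIBIT
        chained = st["java"] or "persistence" in st["hits"]
        level = "critical" if inhibits and chained else "high" if inhibits else "medium"
        report[host] = (level, sorted(st["hits"]))
    return report

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "PC-01", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d x.jar"},
    {"host": "PC-01", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "PC-02", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net stop wbengine"},
    {"host": "PC-03", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE).items()):
        print(host, *result)
```

Rating per host rather than per event reflects the staged chain the article describes: a host that shows persistence and recovery inhibition together warrants isolation before encryption starts.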

What You Should Do

  • Enhance Email Security: Implement robust email filtering solutions to block malicious attachments and links.
  • Conduct User Awareness Training: Educate employees and users about the dangers of phishing and social engineering, especially regarding suspicious attachments and links in Turkish-language or business-themed emails.
  • Implement Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying RAT behavior, suspicious C2 traffic, and unusual file encryption patterns to interrupt the attack chain.
  • Maintain Regular Backups: Ensure critical data is regularly backed up to offline or immutable storage to facilitate recovery without paying a ransom.
  • Patch and Update Systems: Keep operating systems, applications, and security software fully patched and up-to-date to mitigate known vulnerabilities.
  • Monitor Remote Access Tools: Closely monitor the usage and traffic of any legitimate remote access tools to detect anomalous activity.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
